Date: Mon, 18 Feb 2002 10:33:10 +0200
From: "Patrick O'Reilly" <patrick@mip.co.za>
To: "FreeBSD Question List" <freebsd-questions@freebsd.org>
Subject: Re: Gateway server "hanging"
Message-ID: <NDBBIMKICMDGDMNOOCAIOEPOEBAA.patrick@mip.co.za>

> -----Original Message-----
> From: Patrick O'Reilly [mailto:patrick@mip.co.za]
>
> Hello everyone!
>
> Something I've never seen before happened yesterday - a
> FreeBSD gateway/firewall server "hanging" ?!?
>
> The server is running ipfw and natd, and it handles routing
> between 6 private networks, and one Internet connection. It
> runs sshd (so I can do remote support), and net-snmp (so I
> can monitor it with mrtg).
>
> Apart from these services, it does NOTHING ELSE!
>
> Yesterday evening it appeared to "hang". An on-site operator
> reported that the keyboard would not even respond to the
> num-lock key. Ctl-Alt-Del was also ignored. We were forced
> to cycle the power!
>
> The last messages in /var/log/messages before the reboot were these:
> -------------------------
> Feb 17 18:22:39 perimeter natd[506]: failed to write packet
> back (Permission denied)
> Feb 17 18:23:03 perimeter last message repeated 3 times
> Feb 17 18:24:46 perimeter /kernel: 8.223:22 in via xl0
> Feb 17 18:51:11 perimeter /kernel: Copyright (c) 1992-2001
> The FreeBSD Project.
> -------------------------
>
> I understand the natd errors, but that "/kernel: 8.223:22 in
> via xl0" is foreign to me. (xl0 is the NIC facing the Internet).
>
> Any clues anyone?
>
> PS: This server is 4.3 RELEASE. Perhaps an update would be in order?
>
> Regards,
> Patrick.

PPS:
I've also discovered a pretty intensive port scan recorded in the ipfw.log. My entire Public IP range was scanned on port 22 (ssh), and all were denied, except, of course, the firewall's itself!

The timing of that portscan exactly matches the "/kernel: 8.223:22 in via xl0" message in the message log. I'm assuming this is no co-incidence!

I've done reverse lookup on the offending IP, and (no big surprise) it seems to be a dial-up account:
------------
Name: 200-207-89-155.dsl.telesp.net.br
Address: 200.207.89.155
------------

Regards,
Patrick.